C# 如何将.evtx事件日志转换为csv
我的windows服务需要将一个事件日志的内容保存到一个文件中。这是由EventLogSession.ClearLog完成的。但是,我无法强制它将事件日志直接保存到CSV。保存的格式为EVTXC# 如何将.evtx事件日志转换为csv,c#,event-log,C#,Event Log,我的windows服务需要将一个事件日志的内容保存到一个文件中。这是由EventLogSession.ClearLog完成的。但是,我无法强制它将事件日志直接保存到CSV。保存的格式为EVTX EventLogSession els = new EventLogSession(); //stel de filename samen door het appdata pad te combinen met een tempfile name
EventLogSession els = new EventLogSession();
//stel de filename samen door het appdata pad te combinen met een tempfile name
string tempData = Path.Combine(Environment.GetFolderPath(Environment.SpecialFolder.ApplicationData), "templog.csv");
// Clears all the events and archives them to the .evtx file
els.ClearLog(eventLogName, tempData); // Backup File Path
谢谢 使用日志解析器提供的API很容易做到这一点 下载并安装 添加对COM库MS Utility 1.0类型库-LogParser接口集合的引用。搜索日志大大缩小了列表 更改引用的属性,使其不嵌入互操作类型。 如果不这样做,将出现如下编译错误: 无法嵌入互操作类型“MSUtil.comcsvoutContextClassClass”。改用适用的接口 LogParser帮助文件的内容对API有很好的参考价值,但我已经包含了代码内联使用的部分
using System;
using MSUtil;
namespace LogParserTest
{
using LogQuery = LogQueryClassClass;
using EventLogInput = COMEventLogInputContextClassClass;
using CSVOutput = COMCSVOutputContextClassClass;
using XMLOutput = COMXMLOutputContextClassClass;
class Program
{
static void Main(string[] args)
{
try
{
// Instantiate the LogQuery object
LogQuery oLogQuery = new LogQuery();
// Instantiate the Event Log Input Format object
EventLogInput eventInputFormat = new EventLogInput();
// When set to "FW", events are retrieved from the oldest to the
// newest. When set to "BW", events are retrieved from the newest
// to the oldest.
eventInputFormat.direction = "FW";
// Event text messages often span multiple lines. When this parameter
// is set to "ON", the EVT input format preserves readability of the
// messages by removing carriage-return, line-feed, and multiple space
// characters from the message text.
// When this parameter is set to "OFF", the EVT input format returns
// the original message text with no intervening post-processing.
eventInputFormat.formatMessage = true;
eventInputFormat.binaryFormat = "ASC";
eventInputFormat.stringsSep = ",";
CSVOutput csvOutputFormat = new CSVOutput();
// ON: always write the header;
// OFF: never write the header;
// AUTO: write the header only when not appending to an existing file.
csvOutputFormat.headers = "ON";
// Setting this parameter to "ON" causes the CSV output format to write
// a tab character after each comma field separator, in order to
// improve readability of the CSV output. Note that using tabs between
// field values might generate output that is not compatible with
// certain spreadsheet applications.
csvOutputFormat.tabs = false;
// ON: always enclose field values within double-quote characters;
// OFF: never enclose field values within double-quote characters;
// AUTO: enclose within double-quote characters only those field
// values that contain comma (,) characters.
csvOutputFormat.oDQuotes = "AUTO";
// This parameter specifies the date and/or time format to use when
// formatting values of the TIMESTAMP data type.
csvOutputFormat.oTsFormat = "yyyy-MM-dd";
// 0 is the system codepage, -1 is UNICODE.
csvOutputFormat.oCodepage = -1;
// 0: existing files are appended with the output;
// 1: existing files are overwritten with the output;
// 2: existing files are left intact, discarding the output.
csvOutputFormat.fileMode = 1;
/*
EventLog STRING Name of the Event Log or Event Log backup file
RecordNumber INTEGER Index of this event
TimeGenerated TIMESTAMP Event generated date/time (local time)
TimeWritten TIMESTAMP Event logged date/time (local time)
EventID INTEGER The ID of the event
EventType INTEGER The numeric type of the event
EventTypeName STRING The descriptive type of the event
EventCategory INTEGER The numeric category of the event
EventCategoryName STRING The descriptive category of the event
SourceName STRING The source that generated the event
Strings STRING The textual data
ComputerName STRING The name of the computer
SID STRING The Security Identifier associated with the event
Message STRING The full event message
Data STRING The binary data associated with the event
*/
string query = @"SELECT TOP 10 EventLog, RecordNumber, Message INTO "
// Enclose path in single ticks to handle spaces.
query += "'" + FullPathToCsv + "' FROM ";
// Name of application Log, System, Security, Application, CustomLogName
query += "System";
oLogQuery.ExecuteBatch(query, eventInputFormat, csvOutputFormat);
}
catch (System.Runtime.InteropServices.COMException ex)
{
Console.WriteLine("Unexpected error: " + ex.Message);
}
}
}
}
事实证明,所有现有的解决方案都不符合我的要求。 我只是想要一个将evtx作为输入并输出csv的工具。不多不少。 我自己造了一个,效果很好。它被称为EVTX2CV
您可以在此处下载:或直接通过下载。此Powershell功能是我能找到的最有效的功能。不是C代码,但我认为它可能有用。它在Powershell中采用文件名evtx或文件名的可变数组,如下所示: [array]$filelist= 文件1, 文件2, 文件3
如果您只需要将EVTX转换为CSV的工具,可以直接使用LogParser工具:
C:\> logparser "SELECT TimeGenerated, SourceName, EventCategoryName, EventId, Message INTO C:\eventlog.csv FROM C:\eventlog.evtx" -i:EVT
我可以用它在大约10分钟内将一个3 GB EVTX文件转换为CSV。删除了downvote和有关软件下载不起作用的评论。解决方案不错。感谢您为不想在logparser api中使用我的答案的用户提供了powershell选项。若要导出目录中的所有.evtx文件,请将其放入bat文件中:设置lparser=C:\Program files x86\Log Parser 2.2\logparser.exe for/r%%i in*。evtx do%lparser%选择TimeGenerated、SourceName、EventCategoryName、EventId、,从“%~nxi'-i:EVT”将消息发送到“%~nxi.csv”
C:\> logparser "SELECT TimeGenerated, SourceName, EventCategoryName, EventId, Message INTO C:\eventlog.csv FROM C:\eventlog.evtx" -i:EVT